Home
The validity confirmation service, or OCSP service, allows you to ask for real-time status information on any certificate issued by SK (including the ID-card, Smart-ID and Mobile-ID certificates). OCSP is a simple client-server service that follows the RFC 6960 standard. Simply put, the OCSP client sends a request to the OCSP responder (server) about the validity of a certificate, and the responder replies with a response that contains the status of the given certificate (valid/not valid) and the timestamp of the confirmation. The response is digitally signed.
OCSP URL | http://ocsp.sk.ee/ |
Service certificate, used for signing the response | SK OCSP RESPONDER 2011 |
Test OCSP URL | http://demo.sk.ee/ocsp |
Usage terms | Teenuse kasutamise üldtingimused (in Estonian) v 4.0, valid from 01.10.2018 |
Responses to a correct request | GOOD - certificate is valid; REVOKED - certificate is not valid; UNKNOWN - no information on the validity of the certificate provided. The positive response from OCSP means that the certificate has been issued and was valid at the time of the issuance of the response. As an exception, the GOOD response will be given also for an expired certificate issued under ESTEID2018 CA, provided that the certificate has not been revoked or suspended. The checking of validity in time must be done on the service side, in accordance with RFC 6960. |
Supported extensions | OCSP Nonce (1.3.6.1.5.5.7.48.1.2) |
Supported algorithm of the response | sha256WithRSAEncryption |
Limitations | CertID parameters are supported in the form of sha1 hash |
Access to the service | IP limit or access certificate based |
Information regarding the possibilities for access, prices, etc., of the validity verification service can be found at http://www.sk.ee/en/services/validity-confirmation-services/.
No. | Use Case | ocsp.sk.ee Status Value | aia.sk.ee Status Value |
---|---|---|---|
1. | Certificate is active | GOOD | GOOD |
2. | Certificate is active but expired | REVOKED | GOOD |
3. | Certificate is revoked | REVOKED | REVOKED |
4. | Certificate is temporarily revoked (suspended) | REVOKED | REVOKED (revocation reason: certificateHold) |
5. | Certificate is not issued by the CA (unknown issuer) | UNKNOWN | REVOKED (revocation reason: certificateHold) |
6. | Certificate is not issued by the CA (known issuer): the certificate is unknown to the CA, although it may have been issued by a CA that is known to OCSP | UNKNOWN | REVOKED (revocation reason: certificateHold) |
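
The status table and the note on expired certificates mean a relying party cannot act on the status value alone. The decision logic below is an added example, not SK's code: the `OcspResult` fields, the `decide` function and the 5-minute freshness window are assumptions, and the response is assumed to be already parsed and signature-verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class OcspResult:
    """Fields taken from an OCSP response whose signature was already verified."""
    status: str                    # "GOOD", "REVOKED" or "UNKNOWN"
    reason: Optional[str]          # revocation reason, e.g. "certificateHold"
    produced_at: datetime          # timestamp of the confirmation
    nonce: Optional[bytes]         # OCSP Nonce value echoed by the responder

def decide(res: OcspResult, sent_nonce: bytes, not_before: datetime,
           not_after: datetime, now: datetime,
           max_age: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Return (accept, explanation) for one certificate."""
    # The echoed nonce ties the response to this request (replay protection).
    if res.nonce != sent_nonce:
        return False, "nonce mismatch"
    # max_age is an assumed freshness policy, not a value from the page.
    if abs(now - res.produced_at) > max_age:
        return False, "stale response"
    if res.status == "REVOKED":
        # aia.sk.ee reports suspended and not-issued certificates this way.
        if res.reason == "certificateHold":
            return False, "suspended or not issued"
        return False, "revoked"
    if res.status != "GOOD":
        return False, "status unknown"
    # GOOD does not cover expiry: aia.sk.ee answers GOOD for an expired
    # certificate (use case 2), so the validity period is checked locally.
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    return True, "valid"

# Constructed sample values, not real responder output.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
FRESH = OcspResult("GOOD", None, NOW - timedelta(seconds=3), NONCE)
ISSUED = datetime(2019, 1, 1, tzinfo=timezone.utc)
EXPIRED = datetime(2023, 12, 31, tzinfo=timezone.utc)
ACTIVE = datetime(2025, 12, 31, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(decide(FRESH, NONCE, ISSUED, ACTIVE, NOW))
    print(decide(FRESH, NONCE, ISSUED, EXPIRED, NOW))
```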